    Permanent Handler on Duty on This Page: Pedro Bueno
    • SECTION I - MALWARE ANALYSIS - week Sep 26
      UPDATE: results below. - Sep/30/2005

    This section is intended to share some knowledge about malware.

    Since this is the first one, we will start with some basic questions. Based on the following outputs of the Unix strings command, run on some malware samples, please answer the following questions:

    1. What is a PE file?
    2. What is a PE packer?
    3. Looking just at the strings files from real malware, do you think that they were packed with some packer? If so, which one?

     File 1  -  File 2  -  File 3  -  File 4  -  File 5  -  File 6

    Please submit your answers to my email by next Thursday (Sep 29) if you are interested; if not, I will post the answers here anyway on Friday (Sep 30). :)

    • Results!

    Ok! It is time to know the results of our first test!

    First of all, I would like to thank you all for the great feedback received on this first one! I got some really smart answers and, as I forgot to ask permission to publish their names here, I will just use the first names. After all, you know who you are...!:)

    1. What is a PE file:

    Let's start with the classics...:) Anton Chuvakin, one of the authors of the Security Warrior book, defines it as:
    "The PE file format
    The native file format of Windows is the Portable Executable (PE). “Portable” means that all Windows platforms and processors recognize the program. In order to understand the process of unpacking a compressed application, it is first necessary to understand the structure of the Win32 PE file format (Figure 2-8). This format has remained relatively constant over the years, even with newer 64-bit Windows platforms."

    Derek also pointed out a good one:

    "The Portable Executable (PE) format is an executable file format used in 32-bit and 64-bit versions of Windows operating systems. The term "portable" refers to the format's portability across all 32-bit (and by extension 64-bit) Windows operating systems. The PE format is basically a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code. This includes dynamic library references for linking, API export and import tables, and resource management data. On NT operating systems, the PE format supports EXE, DLL, OBJ, and other file types."

    2. What is a PE packer:

    First, let's make something clear: not all packers are 'evil'! :) I have already seen many packers being used 'for good' in both commercial and non-commercial software...SOME I never saw being used in good software...but this we will discuss another time... :-)

    Colin pointed out that..."A PE packer compresses and/or obfuscates the contents of a PE file by rearranging the sections of the binary file to eliminate blank sections of the file and/or compresses parts of it and inserts its own decompressor routines. The effect of this is that you can make a file more compact, and thus easier to slip onto an infected computer because - Its smaller size prevents the internet connection grinding to a halt while the malware is downloaded from a remote site, the e-mail containing the malware is downloaded, or the web page with an ADODB.Stream / ITMS exploit is smaller."

    Dr. Neal says that "The goal for most packers is to obscure opcodes and functions:
     - Limits unauthorized code theft.  (Even virus writers have a sense of "proprietary code".)
     - Obscures network addresses, URLs, IRC channels, etc.
     - Hinders code modification (like cracking tools that remove licensing requirements)
     - Makes code smaller.  (Why download a 100Meg file when you can download a 20Meg file that self-uncompresses?)"

    Nice ones, right!?

    3. Looking just at the strings files from real malware, do you think that they were packed with some packer? If so, which one?

    First, very good job, all of you! Remember, you made your guesses based only on the output of strings -a <file>. And most of you got it right!

    Below I will include the answers. My answers are based on the strings analyzed and later confirmed by a tool, which we will discuss later too...:)

    -> File 1: visualize.scr-ebd92f1bff47ed100d49a555f3c03c3e.strings.txt

    The strings below are right at the beginning of the file:

    This program must be run under Win32
    UPX0
    UPX1
    .rsrc
    1.25
    UPX!

    These UPX0, UPX1 and UPX! are typical of files packed with the UPX packer (upx.sourceforge.net): UPX0 and UPX1 are the section names UPX writes into the PE section table, which is why they show up so early in the strings output, and UPX! is the marker of the UPX header. The 1.25 is the UPX version. Dr. Neal also pointed out something that I didn't know: when you have a registered version of UPX, the string UPX2 will also appear there.

    Answer: Packer UPX

    -> File 2: voxcard.exe-01a1d472a9bd3702ebe7a5ad8f4d5e16.strings.txt

    The strings below are right at the beginning of the file:

    This program must be run under Win32
    CODE
    DATA
    .idata
    .tls
    .rdata
    .reloc
    .rsrc
    .aspack
    .adata

    Basically, all files packed with the ASPACK packer will include the section .aspack. Another section added by ASPACK has a configurable name; the default is .adata, as in our example above. :)


    -> File 3: wwlink.exe-da57aa6eea6ff3ea3166f53da11aec74.strings.txt
    -> File 4: wyvisualizar.exe-f04cb834ac843ad08a1a5c17e4f67ba3.strings.txt

    Both File 3 and File 4 have the same packer...which one??! I got almost the same number of answers for ASPACKDie! and PECompact2 ...

    The answer is....

    PECompact2!

    Why??!

    Well...the answer is quite simple...Let's look at the first 6 lines of the strings:

    !This program cannot be run in DOS mode.
    RichA
    [AspackDie!]
    .text
    PEC2
    .rsrc

    Guys, AspackDie! is what we call an 'unpacker' application...just as you have packers (to pack the PE)...:) you have unpackers to get it back!:) AspackDie! is an unpacker for ASPACK...now it makes sense, right? It is as if the application says: "ASPACK, DIE!" :) ok...that was horrible...:)

    Now you may be asking yourself: So, the hacker packed it with ASPack, then unpacked it with AspackDie and later decided to pack it again with PECompact2?

    The answer is: I don't know!:) My personal bet is: the original hacker created the application, then another hacker got a copy of the malware, unpacked it, took a hex editor, changed some stuff and then packed it again, this time with PECompact2. Does it make sense to you?
    By the way, those of you who told me that it was a different binary, you were correct!

    All those numbers after the malware name are the md5sum of the malware...;-).


    -> File 5: x1.exe-0c7ec6408547fcd0647a2a4790987935.strings.txt

    x1.exe...tough one?:) Many of you told me that this one looks like it wasn't packed...well...kind of...this one was 'packed' with WinRAR (www.rarlab.com). WinRAR is widely used because, besides compressing the file, it can also create 'stealth' self-extracting files, with some additional options, like the path where the contents should be installed...

    Look at the strings below:

    %sRarSFX%d
    .lnk
    .inf
    Install
    .exe
    Software\WinRAR SFX
    RarHtmlClassName

    -> File 6: XYE496X5YITRR.exe-b1339276f1918db3ba31a91612e4a250.strings.txt

    Ok, this one doesn't have much mystery...it is a plain PECompact2-packed file...:)

    !This program cannot be run in DOS mode.
    Rich
    Xx0C
    .text
    PEC2
    .rsrc
    ,Xh($
    ject1
    ltFp.7
    PECompact2

    Did you see the PEC2 and PECompact2 above? These are clear signs of PECompact2...!
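    As an added example (not part of the original post, and not the tool mentioned above), here is a small Python script that does for Files 1 to 6 what we did by eye: it reads the section names straight out of the PE section table (which is why they show up at the top of the strings output) and checks them against the UPX, ASPack and PECompact2 markers, plus the WinRAR SFX and AspackDie! strings. The lookup tables, the helper names and the minimal fake PE image used for testing are constructed for this example.

```python
import struct

# Indicators discussed in this post (constructed lookup tables for this example).
SECTION_HINTS = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX (registered)",
    ".aspack": "ASPack", ".adata": "ASPack (default extra section)",
    "PEC2": "PECompact2",
}
STRING_HINTS = {b"RarSFX": "WinRAR SFX", b"[AspackDie!]": "AspackDie! unpacker marker"}

def pe_section_names(data: bytes):
    """Walk DOS header -> PE header -> section table and return the section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            break  # truncated table: stop rather than read garbage
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def guess_packer(data: bytes):
    """Return sorted packer/tool hints found in section names and raw strings."""
    hits = {SECTION_HINTS[n] for n in pe_section_names(data) if n in SECTION_HINTS}
    hits |= {v for k, v in STRING_HINTS.items() if k in data}
    return sorted(hits)

def build_fake_pe(section_names, extra=b""):
    """Constructed, non-runnable PE image with the given section names (test data only)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = b"\0" * 224  # size of a PE32 optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x10F)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + opt + secs + extra

if __name__ == "__main__":
    for sample in (["UPX0", "UPX1", ".rsrc"], ["CODE", ".aspack", ".adata"], [".text", "PEC2", ".rsrc"]):
        print(sample, "->", guess_packer(build_fake_pe(sample)))
```

    To try it on a real sample, pass open(path, "rb").read() to guess_packer(); a real packer identification tool keeps far more signatures, this only covers the markers seen above.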


    FINAL WORDS:

    Ok, this was fun! If you liked it, check the next one here!

    Btw, the tools can be found at:
    - UPX - http://upx.sourceforge.net
       - basic usage: to pack:  upx <file>   //   to unpack:  upx -d <upx_packed_file>

    - WinRAR trial - http://www.rarlab.com/download.htm
       - Linux version basic usage: to unrar:  unrar x <rar_file>

    - Strings command:
       - basic usage:  strings -a <file>